smokeloader | 5c88ec7f348d5b457a2f155bbd9b0353c1cb840e0e971013c0ebc58aaee3b715

General

Target

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
Size

311KB
MD5

3a7ac1ac60baac512bf45e412aacb90c
SHA1

d579493a2190a8f6f44a9094148a494c5368cdc7
SHA256

5c88ec7f348d5b457a2f155bbd9b0353c1cb840e0e971013c0ebc58aaee3b715
SHA512

08c3a3861a092eb7e39f6aa7255b36e2bf54b1f7a15b7fb76ac5f94269e7879e3a27187af2ee11f7215f5796e35ecd9146d04744ab4a4e01fb29a137589963b9
SSDEEP

6144:mLVf3fw4e0wZ4EJjz9QkLOfIf/Hp9hLVxCygVM:4IjZZ4IH9QkOfIfPhJxC9

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3380
Executes dropped EXE 2 IoCs

Processes:

wjsfhdfwjsfhdf

pid process

1376 wjsfhdf
3028 wjsfhdf

pid	process
3380

pid	process
1376	wjsfhdf
3028	wjsfhdf

Suspicious use of SetThreadContext 2 IoCs

Processes:

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exewjsfhdf

description	pid	process	target process
PID 3548 set thread context of 4112	3548	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 1376 set thread context of 3028	1376	wjsfhdf	wjsfhdf

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

544 4112 WerFault.exe 3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
2280 3028 WerFault.exe wjsfhdf

pid	pid_target	process	target process
544	4112	WerFault.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
2280	3028	WerFault.exe	wjsfhdf

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exewjsfhdf

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wjsfhdf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wjsfhdf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wjsfhdf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe

pid	process
4112	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
4112	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exewjsfhdf

pid process

4112 3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
3028 wjsfhdf

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3380

pid	process
3380

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exewjsfhdf

description	pid	process	target process
PID 3548 wrote to memory of 4112	3548	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 3548 wrote to memory of 4112	3548	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 3548 wrote to memory of 4112	3548	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 3548 wrote to memory of 4112	3548	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 3548 wrote to memory of 4112	3548	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 3548 wrote to memory of 4112	3548	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 1376 wrote to memory of 3028	1376	wjsfhdf	wjsfhdf
PID 1376 wrote to memory of 3028	1376	wjsfhdf	wjsfhdf
PID 1376 wrote to memory of 3028	1376	wjsfhdf	wjsfhdf
PID 1376 wrote to memory of 3028	1376	wjsfhdf	wjsfhdf
PID 1376 wrote to memory of 3028	1376	wjsfhdf	wjsfhdf
PID 1376 wrote to memory of 3028	1376	wjsfhdf	wjsfhdf

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 328
3⤵
- Program crash
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4112 -ip 4112
1⤵
PID:3400

C:\Users\Admin\AppData\Roaming\wjsfhdf
C:\Users\Admin\AppData\Roaming\wjsfhdf
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Roaming\wjsfhdf
C:\Users\Admin\AppData\Roaming\wjsfhdf
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 328
3⤵
- Program crash
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3028 -ip 3028
1⤵
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wjsfhdf
Filesize
311KB

MD5
3a7ac1ac60baac512bf45e412aacb90c

SHA1
d579493a2190a8f6f44a9094148a494c5368cdc7

SHA256
5c88ec7f348d5b457a2f155bbd9b0353c1cb840e0e971013c0ebc58aaee3b715

SHA512
08c3a3861a092eb7e39f6aa7255b36e2bf54b1f7a15b7fb76ac5f94269e7879e3a27187af2ee11f7215f5796e35ecd9146d04744ab4a4e01fb29a137589963b9

Download Submit
memory/1376-17-0x00000000017C0000-0x00000000018C0000-memory.dmp

Filesize
1024KB

Download
memory/3028-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3380-6-0x0000000003260000-0x0000000003276000-memory.dmp

Filesize
88KB

Download
memory/3380-20-0x0000000003290000-0x00000000032A6000-memory.dmp

Filesize
88KB

Download
memory/3548-1-0x0000000001980000-0x0000000001A80000-memory.dmp

Filesize
1024KB

Download
memory/3548-2-0x0000000001920000-0x0000000001929000-memory.dmp

Filesize
36KB

Download
memory/4112-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4112-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4112-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4112-9-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/4112-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads